Physical unclonable functions (PUFs) have proven to be advantageous alternatives for many forms of secure identification, including the storing of keys, identifiers and the like in secure memories.
A physical unclonable function exploits manufacturing variations to derive a digital identifier. The digital identifier is thus tied to a physical medium. Because the physical unclonable function depends on random process variations, it is easy to create a PUF but it is very hard, if not downright impossible, to create a PUF which would give rise to a particular pre-determined identifier. The manufacturing variations lead to different physical characteristics of the memory element. For example, the physical characteristics may include: doping concentrations, oxide thickness, channel lengths, structural width (e.g. of a metal layer), parasitics (e.g. resistance, capacitance) and the like. When a digital circuit design is manufactured multiple times, these physical characteristics will vary slightly and together they will cause the behavior of an IC element, e.g., a memory element, to behave differently in some situations. For example, the start-up behavior is determined by manufacturing variations in the physical characteristics.
A convenient choice for PUFs are volatile memories, in particular flip-flop based memories, more in particular, static random access memories (SRAM). Such memories are easy to evaluate and low in manufacture costs. A PUF based on SRAM are called SRAM PUFs. SRAMs have the property that after they are powered-up, they are filled with a random pattern of on-bits and off-bits. Although the pattern may not repeat itself exactly if the SRAM is powered-up a next time, the differences between two such patterns is typically much smaller than half the number of bits in the state. The difference between memory power-up contents of the same SRAM is generally much smaller than the difference between memory power-up contents of different SRAMs.
Since the PUF may not give the exact same result when the same challenge is evaluated twice, a so-called Helper Data algorithm, also known as a Fuzzy Extractor, may be used to ensure that the key will be the same, each time it is derived. One way of using helper data to construct reproducible values from noisy measurements is described, e.g., in international patent application WO 2006/29242, “Template Renewal in Helper Data Systems”, etc.
One application of PUFs, in particular SRAM PUFs is to derive a cryptographic key on an electronic circuit. The electronic circuit typically includes an integrated Circuit (IC) and/or programmable logic.
One advantage of PUFs is that they inherently possess tamper resistant qualities. Without a PUF, the cryptographic key may be recovered by an attacker, by mounting a physical attack on the non-volatile memory where the key is traditionally stored. For example, the attacker may open the memory and probe its content. Using a PUF makes this type of attack much harder, since opening the PUF will typically disturb it; probing say an SRAM for its dynamic contents is much harder than probing embedded Non-Volatile Memory. Accordingly, information the attacker learns from his probe is not related to the interaction which was used to create the cryptographic key. This makes it harder for an attacker to find the key using a physical attack.
Unfortunately, intrusive physical attacks are not the only attack vector along which an attacker may obtain at least some information on the internal state of the PUF. So-called side channels may also leak information. A side-channel is an information source on a system related to physical phenomena occurring inside the system that may be observed from outside the system and that reveals information which, at least to some extent, is correlated with the internal operation and/or state of the system, other than its intended, observable, input-output behavior.
Power consumption, time consumption and electromagnetic radiation are examples of side-channels that are relevant to cryptographic systems. For example, the power consumption of a cryptographic system monitored while the system uses a cryptographic key may to some extend be correlated to the key. As it is of prime importance to keep the cryptographic key confidential, any leakage of information correlated with that key is problematic.
In international patent application PCT/EP2010/051631, published as WO/2010/100015, with title “System for establishing a cryptographic key depending on a physical system” discloses solutions to reduce side-channel leakage occurring during the error correction part of the key derivation from a PUF, i.e., during execution of the Helper Data algorithm. The error correction is a particularly important phase to avoid side channel leakage, since it handles the sensitive data multiple times, introducing multiple non-linear correlations. Furthermore, if the error correction is implemented in software the leakage is magnified.